Improper neutralization of data within XPath expressions ('XPath Injection')

ID

javascript.xpath_injection

Severity

high

Resource

Injection

Language

JavaScript

Tags

CWE:643, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1

Description

Improper neutralization of data within XPath expressions ('XPath Injection').

XPath is a query language used to select nodes from XML documents. Similar to SQL injection, XPath Injection involves manipulating the structure of queries using user-supplied input. When the software fails to sanitize input properly, attackers can insert malicious characters or expressions that alter the intended query, potentially exposing sensitive information or allowing access to unauthorized data.

Rationale

Building an XPath expression by concatenating or interpolating user-controlled input lets that input become part of the query's structure instead of a plain value. As with SQL injection, characters such as quotes and XPath operators in the input can change which nodes the query selects. When the query decides access, as in the example below, the result may expose sensitive information or grant access to data the user is not entitled to.

The following is an example of an XPath Injection vulnerability:

const xpath = require('xpath');
// Imagine an XML source for access control, with entries such as
// <allowed user="..."><permissions>...</permissions></allowed>.
// loadXml is a placeholder for whatever parses that XML into a DOM document
// (for example DOMParser from the @xmldom/xmldom package).
var doc = loadXml(dom);
// ...

// Inside an Express-style request handler:
var username = req.params.user; // user-controlled input

// FLAW - vulnerable to XPath Injection: the raw input is interpolated into
// the expression text, so quotes and operators in it alter the query.
var allowed = xpath.select1(`//allowed[@user='${username}']/permissions`, doc);

Remediation

To remediate this vulnerability, never build XPath expressions by interpolating untrusted input into the expression text. Pass user-supplied values as data instead: use the XPath library's variable binding (a parameterized query), so the value can never change the structure of the expression.

In addition, validate the input against an allow-list of the characters and length the application actually expects, and reject anything else. If the library in use offers no variable binding, the value must at least be encoded as a proper XPath string literal before it is placed into the expression.

In the previous example, the vulnerability can be fixed with a parameterized query (the username is bound as an XPath variable rather than interpolated), combined with allow-list validation of the input:

const xpath = require('xpath');
// Imagine an XML source for access control...
// loadXml is a placeholder for whatever parses that XML into a DOM document.
var doc = loadXml(dom);
// ...

const
  validate = require('validate.js'),
  usernameValidation = {
    presence: true,
    format: { pattern: /^[a-z0-9._-]{2,16}$/i, message: 'Invalid username' }
  };

// Inside an Express-style request handler:
var username = req.params.user; // user-controlled input
// FIXED: strict allow-list validation of the input; the pattern admits no
// quotes or XPath operators, so the value cannot alter the expression.
// validate.single returns undefined when the value passes all constraints.
var errors = validate.single(username, usernameValidation);

if (errors) {
  return res.status(400).send(errors);
}

// FIXED - use a parameterized query: username is NOT interpolated.
// $user is an XPath variable, bound through the `variables` option.
var evaluator = xpath.parse("//allowed[@user=$user]/permissions");
var allowed = evaluator.select1({ node: doc, variables: { user: username } });

Configuration

The detector has the following configurable parameters:

  • sources: the source kinds to check.

  • neutralizations: the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection').

  • OWASP Top 10 2021 - A03: Injection.